Fault tolerant TTCAN networks
B. Müller, T. Führer, F. Hartwich, R. Hugel, H. Weiler, Robert Bosch GmbH
TTCAN is a time triggered layer using the CAN protocol to communicate in a time triggered fashion. As TTCAN is based on CAN it uses the power of CAN's error detection mechanisms and robustness, but it also provides a step towards determinism and time triggered technology.
Future system architectures will include applications that need to access more than one TTCAN controller. This article describes how to build fault-tolerant TTCAN networks, in particular the mechanisms to synchronize different TTCAN busses. It is shown that it is very easy to implement a synchronized network of any reasonable redundancy level, even if non-trivial architectures (for instance more than a simple dual channel network) are involved. Moreover, this synchronization can be achieved even when the individual TTCAN busses use different time bases without ever violating the modular integrity of one single bus.
There is a variety of real-time bus-systems that are used to connect electronic control units in automation or in the automobile. Most of these communication protocols are one channel systems, i.e. although there are possibly some fault-tolerance mechanisms, there is no really redundant transmission of messages. In some safety critical applications however, redundant message transmission becomes a requirement.
A time triggered variant of CAN, denoted in the sequel by TTCAN, is described by the ISO standard 11898-4 (currently still a draft version). Essentially CAN, and hence TTCAN, is a one channel system; redundancy can only be provided by using multiple TTCAN busses. However, compared with intrinsically redundant systems (e.g. FlexRay, TTP/C), the use of multiple single channel busses introduces the problem of management of redundancy. This mainly consists of synchronizing the different busses, but it must also be ensured that the main services of a time triggered communication system (providing a global time and a consistent schedule all over the network) can be used by an application from either of the channels. This means it must be possible for an application to treat the set of different busses as one communication system. In the paper it is shown that the TTCAN interfaces make it easy to combine TTCAN busses in a modular way so that this can be achieved even in system architectures that go far beyond the standard dual channel scenario.
As fault tolerant TTCAN networks consist of combinations of TTCAN busses we begin with a short description of the TTCAN bus. The interested reader may find more detailed descriptions in .
Time triggered communication in TTCAN is based on the reference message being transmitted regularly by the time master. Following the reference message there is a sequence of time windows that provide the time slots for individual message transmissions. There are three types of time windows: exclusive time windows that are exclusively reserved for one message, arbitrating time windows during which messages can compete for the bus by the non-destructive arbitrating mechanism of CAN, and free time windows that are reserved for future extensions of the network. The pattern of time windows following a reference message is called a basic cycle, i.e. each basic cycle starts with a reference message and contains an off-line configured set of time windows.
In TTCAN not all basic cycles necessarily have to be the same. It is possible to distinguish different basic cycles by the cycle count, a counter that is incremented each cycle up to the maximum value after which it is restarted again. Combining all these different cycles we get the so called matrix cycle which represents the complete communication overview of a TTCAN network.
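The schedule structure described above can be modelled as a small table that a bus monitor checks frames against. The following C sketch is an added example, not code from the paper or from ISO 11898-4; the time units, window lengths, CAN IDs, `REF_LEN` and all function names are constructed assumptions, and it assumes that free windows carry no traffic in the current configuration.

```c
#include <stddef.h>
#include <stdint.h>
/* Window types named on the page. */
typedef enum { WIN_EXCLUSIVE, WIN_ARBITRATING, WIN_FREE } win_type;
typedef struct {
    uint32_t start, len;  /* offset from start of basic cycle (constructed units) */
    win_type type;
    uint16_t owner_id;    /* CAN ID owning an exclusive window, otherwise unused */
} time_window;
typedef struct { const time_window *win; size_t n; } basic_cycle;
#define REF_LEN 10u       /* assumed duration of the reference message */

/* Constructed matrix cycle: two basic cycles differing in the exclusive window. */
static const time_window bc0[] = {
    {10, 20, WIN_EXCLUSIVE, 0x100}, {30, 20, WIN_ARBITRATING, 0}, {50, 20, WIN_FREE, 0} };
static const time_window bc1[] = {
    {10, 20, WIN_EXCLUSIVE, 0x200}, {30, 20, WIN_ARBITRATING, 0}, {50, 20, WIN_FREE, 0} };
static const basic_cycle matrix[] = { {bc0, 3}, {bc1, 3} };
#define N_CYCLES (sizeof matrix / sizeof matrix[0])

/* Cycle count: incremented each basic cycle, restarted after the maximum. */
unsigned next_cycle_count(unsigned c) { return (unsigned)((c + 1u) % N_CYCLES); }

/* Window covering cycle time t in the given basic cycle, or NULL. */
const time_window *window_at(unsigned cycle_count, uint32_t t) {
    const basic_cycle *bc = &matrix[cycle_count % N_CYCLES];
    for (size_t i = 0; i < bc->n; i++)
        if (t >= bc->win[i].start && t - bc->win[i].start < bc->win[i].len)
            return &bc->win[i];
    return NULL;
}

/* 1 if a frame with this ID conforms to the schedule at (cycle_count, t). */
int may_transmit(unsigned cycle_count, uint32_t t, uint16_t id) {
    const time_window *w = window_at(cycle_count, t);
    if (!w) return 0;                    /* reference message or unscheduled gap */
    if (w->type == WIN_EXCLUSIVE) return w->owner_id == id;
    return w->type == WIN_ARBITRATING;   /* free windows: no traffic (assumption) */
}

/* 1 if every basic cycle's windows follow the reference message without overlap. */
int matrix_is_valid(void) {
    for (size_t c = 0; c < N_CYCLES; c++) {
        uint32_t end = REF_LEN;
        for (size_t i = 0; i < matrix[c].n; i++) {
            if (matrix[c].win[i].start < end || matrix[c].win[i].len == 0) return 0;
            end = matrix[c].win[i].start + matrix[c].win[i].len;
        }
    }
    return 1;
}
int main(void) { return matrix_is_valid() ? 0 : 1; }
```

The same cycle time resolves to a different exclusive owner depending on the cycle count, which is why a monitor has to track both values to judge a frame.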